Department of Homeland Security

DHS Can Take Actions To Address
Its Additional Cybersecurity Responsibilities

OIG-13-95                                                June 2013

OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

June 5, 2013

MEMORANDUM FOR:   Bobbie Stempfley
                  Acting Assistant Secretary
                  Office of Cybersecurity and Communications
                  National Protection and Programs Directorate

FROM:             Frank W. Deffer
                  Assistant Inspector General
                  Office of Information Technology Audits

SUBJECT:          DHS Can Take Actions To Address Its Additional
                  Cybersecurity Responsibilities

Attached for your action is our final report, DHS Can Take Actions To Address Its Additional Cybersecurity Responsibilities. We incorporated the National Protection and Programs Directorate’s formal comments in the final report.

The report contains six recommendations aimed at addressing the National Protection and Programs Directorate’s cybersecurity responsibilities to improve the security posture of the Federal Government. The National Protection and Programs Directorate concurred with all recommendations.
As prescribed by the Department of Homeland Security Directive 077-01, Follow-Up and Resolutions for Office of Inspector General Report Recommendations, within 90 days of the date of this memorandum, please provide our office with a written response that includes your (1) agreement or disagreement, (2) corrective action plan, and (3) target completion date for each recommendation. Also, please include responsible parties and any other supporting documentation necessary to inform us about the current status of the recommendation. Until your response is received and evaluated, the recommendations will be considered open and unresolved.

Consistent with our responsibility under the Inspector General Act, we are providing copies of our report to appropriate congressional committees with oversight and appropriation responsibility over the Department of Homeland Security. We will post the report on our website for public dissemination.

Please call me with any questions, or your staff may contact Chiu-Tong Tsang, Director, Information Security Audit Division, at (202) 254-5472.

Attachment

Table of Contents

Executive Summary
Background
Results of Audit
    Actions Taken To Improve Cybersecurity at Federal Agencies
    Strategic Implementation Plan Needed for Effective Cybersecurity Oversight
    Recommendations
    Management Comments and OIG Analysis

    Improved Communication and Collaboration With Federal Agencies Can Help Improve the FISMA Reporting Process
    Recommendations
    Management Comments and OIG Analysis

    CS&C Does Not Maintain an Adequate Security Training Program for Contractors
    Recommendation
    Management Comments and OIG Analysis

    Technical Enhancements Can Improve CyberScope Security
    Recommendation
    Management Comments and OIG Analysis

Appendixes
    Appendix A: Objectives, Scope, and Methodology
    Appendix B: Management Comments to the Draft Report
    Appendix C: Major Contributors to This Report
    Appendix D: Report Distribution
Abbreviations
    CDM      Continuous Diagnostics and Mitigation
    CIO      Chief Information Officer
    CONOPS   Concept of Operations
    CPM      Cybersecurity Performance Management
    CS&C     Office of Cybersecurity and Communications
    DHS      Department of Homeland Security
    FISMA    Federal Information Security Management Act
    FNR      Federal Network Resilience
    FY       fiscal year
    ISSO     Information System Security Officer
    IT       information technology
    NIST     National Institute of Standards and Technology
    NPPD     National Protection and Programs Directorate
    OCIO     Office of the Chief Information Officer
    OIG      Office of Inspector General
    OMB      Office of Management and Budget
    TIC      Trusted Internet Connection

www.oig.dhs.gov                                                     OIG-13-95

Executive Summary

In 2010, the Office of Management and Budget designated the Department of Homeland Security (DHS) with the primary responsibilities of overseeing the Federal-wide information security program and evaluating its compliance with the Federal Information Security Management Act of 2002. The National Protection and Programs Directorate (NPPD), which is primarily responsible for fulfilling DHS security missions, assumed this responsibility for the Department.
Subsequent to the President’s issuance of Executive Order 13618 in July 2012, NPPD’s Office of Cybersecurity and Communications was reorganized in an effort to promote security, resiliency, and reliability of the Nation’s cyber and communications infrastructure.

We audited NPPD to determine whether the Office of Cybersecurity and Communications has implemented its additional cybersecurity responsibilities effectively to improve the security posture of the Federal Government.

The Federal Network Resilience division, within the Office of Cybersecurity and Communications, has taken actions to address its assigned responsibilities and to improve the information security posture at Government agencies. For example, the Federal Network Resilience division manages the annual Federal Information Security Management Act reporting process and takes an active approach toward evaluating agencies’ compliance with the President’s cybersecurity initiatives. Further, it conducts information security assessments at selected Federal agencies.

Although actions have been taken, NPPD can make further improvements to address its additional cybersecurity responsibilities. For example, the Federal Network Resilience division must develop a strategic implementation plan to define its long-term goals on improving agencies’ information security programs. Further, increased communication and coordination with Government agencies can improve the Federal Information Security Management Act reporting process. Finally, NPPD must address deficiencies in maintaining and tracking the training records of CyberScope contractor personnel and implement the required DHS baseline configuration settings.

We are making six recommendations to the Acting Assistant Secretary, Office of Cybersecurity and Communications. NPPD concurred with all recommendations and has begun to take actions to implement them.
NPPD’s responses are summarized and evaluated in the body of this report and are included, in their entirety, as appendix B.

Background

To help secure agency information systems against cyber threats, the Federal Information Security Management Act of 2002 (FISMA) was enacted to set forth a comprehensive framework for ensuring effective information security.[1] To ensure the implementation of this framework, FISMA assigned specific responsibilities to the Office of Management and Budget (OMB) to develop and oversee the implementation of policies and standards on information security.

On July 6, 2010, OMB designated DHS with the primary responsibility of overseeing a Federal-wide information security program designed to better protect Federal agencies’ information systems and networks.[2] NPPD, which serves as the lead for protecting and enhancing the resilience of the Nation’s physical and cyber infrastructure, assumed this responsibility for the Department.

NPPD’s Office of Cybersecurity and Communications (CS&C) is responsible for developing and collecting FISMA metrics, in conjunction with OMB, that are submitted either annually or quarterly by the Office of Chief Information Officer (OCIO) and Office of Inspector General (OIG) at each agency.
In addition, Federal agencies are required to provide monthly information security and vulnerability data feeds through a web-based application, CyberScope, allowing for improved risk-management decisions and increased situational awareness.[3]

To gain access to CyberScope, users must authenticate with their Homeland Security Presidential Directive 12-compliant credential, which contains a digital certificate and personal identification number, through OMB’s Max Portal.[4] Authenticated users are then directed to CyberScope to input or review FISMA-related data. Figure 1 shows a high-level view of CyberScope’s system and encryption architecture.

[1] Federal Information Security Management Act of 2002 (Public Law 107-347, Section 301-305).
[2] OMB M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS), July 6, 2010, assigned DHS with the primary responsibility within the Executive Branch for the operational aspects of Federal agency cybersecurity regarding Federal information systems that fall within FISMA.
[3] Agencies must load data from their security management tools into CyberScope on a monthly basis. Small and micro agencies are not required to submit monthly data feeds.
[4] An OMB waiver is required for agencies to use single-factor authentication (username and password) to access CyberScope.

Figure 1. CyberScope System Architecture and Encryption Elements

Further, DHS has been tasked with developing, managing, and overseeing OMB’s Trusted Internet Connection (TIC) initiative for the Federal Government.[5] Identified as one of the Administration’s three priorities to improve cybersecurity and the security of Federal information systems, the TIC initiative aims to further improve agencies’ security posture and incident response capabilities through enhanced monitoring and situational awareness of all external network connections.[6]

Additionally, the President issued Executive Order 13618 to improve emergency communication throughout the Federal Government.[7] Under the Executive Order, DHS was required to provide the President with a detailed plan within 60 days of issuance, describing the organization and management structure for its national security/emergency preparedness communications functions. Subsequently, CS&C was reorganized in October 2012 to support these requirements better and improve the security and dependability of the Nation’s cyber and communications infrastructure. Specifically, CS&C is now composed of five divisions: Federal Network Resilience (FNR), Network Security Deployment, National Cybersecurity and Communications Integration Center, Office of Emergency Communications, and the Stakeholder Engagement and Cyber Infrastructure Resilience divisions. Figure 2 illustrates the realignment of CS&C.

[5] OMB M-08-05, Implementation of Trusted Internet Connections (TIC), November 20, 2007, established the TIC initiative, which requires departments and agencies to secure Federal external network connections, including Internet connections, and improve the government's incident response capability by reducing the number of agencies' external network connections and implementing security controls over the connections that remain.
[6] The three Administrative Cybersecurity Priorities are continuous monitoring of Federal information systems, TIC capabilities and traffic consolidation, and strong authentication with Homeland Security Presidential Directive 12 compliant credentials for logical access control.
[7] Executive Order 13618, Assignment of National Security and Emergency Preparedness (NS/EP) Communications Functions, was issued on July 6, 2012.

Figure 2. Realigned CS&C Organizational Chart as of October 2012

Within the FNR division, the Cybersecurity Performance Management (CPM) Branch is responsible for (1) developing and disseminating FISMA reporting metrics, (2) managing the CyberScope web-based application, and (3) collecting and reviewing Federal agencies’ cybersecurity data submissions and monthly data feeds. In addition, FNR’s Cybersecurity Assurance Program Branch is responsible for conducting cybersecurity reviews and assessments at Federal agencies to evaluate the effectiveness of agencies’ information security programs and compliance with OMB initiatives.

Results of Audit

Actions Taken To Improve Cybersecurity at Federal Agencies

CS&C has taken actions to implement its additional FISMA responsibilities and improve the cybersecurity programs at Federal agencies.
For example, CS&C has assumed the responsibility to manage the annual FISMA reporting process on behalf of OMB and conducted reviews and technical assessments to assess and improve cybersecurity capabilities at Federal agencies. Specifically, CS&C has—

• Developed and refined the annual FISMA reporting metrics in conjunction with OMB, which are used to assess agency information security programs and cybersecurity risks across the Federal Government. Some Federal agencies we interviewed indicated that CS&C has taken positive steps to refine the annual reporting metrics by including agencies’ input and feedback into the process.

• Conducted seven CyberStat reviews, as of October 2012, to assist Federal agencies in identifying capability limitations and developing action plans to improve information security operations.[8]

• Developed the Department of Homeland Security Plan for Organization and Management of National Security and Emergency Preparedness (NS/EP) Communications Functions in September 2012, as required by Executive Order 13618. The plan presents a unified strategy that identifies clear cybersecurity and communications roles and responsibilities and sets the conditions for more effective management.

• Implemented effective security controls to protect the information stored and processed by CyberScope.
  Our vulnerability and configuration reviews only identified a few weaknesses.

• Authorized CyberScope to operate in accordance with applicable DHS, National Institute of Standards and Technology (NIST), and OMB guidance. Our review of the CyberScope security authorization package did not reveal any significant deficiencies.

• Performed 18 network and TIC assessments in fiscal year (FY) 2012 to evaluate the security posture of selected agencies, assess their compliance with OMB cybersecurity initiatives, and identify areas for improvement.

[8] CyberStat sessions include DHS, OMB, and agency team representatives working together to examine program data.

Despite these efforts, CS&C can take further actions to implement its additional cybersecurity responsibilities. For example, developing a strategic implementation plan and improving the communication and coordination with Federal agencies will help CS&C refine the FISMA reporting metrics and better evaluate agency information security programs. In addition, CS&C must establish a process to ensure that CyberScope contractor personnel receive adequate security training to perform their job functions.
Finally, CS&C must configure CyberScope in accordance with DHS guidance.

Strategic Implementation Plan Needed for Effective Cybersecurity Oversight

FNR has not developed a strategic implementation plan that describes its cybersecurity responsibilities or establishes specific timeframes and milestones to provide a clear plan of action for fulfilling its cybersecurity responsibilities. In addition, FNR has not established performance metrics to measure and monitor its progress in accomplishing its mission and goals. As a result, FNR cannot ensure that it is effectively overseeing Federal agencies’ information security programs.

Further, although FNR has developed policies and standard operating procedures that specify its responsibilities and key cybersecurity activities, many of these documents are in draft. In addition, FNR has not developed long-term cybersecurity goals or identified medium-term steps or milestones for Federal agencies to accomplish the long-term goals. Without the long-term goals, CS&C will have difficulty determining whether the CPM program is effective in achieving the desired results to strengthen the security posture of the Federal Government.

Management turnover has hindered CS&C’s ability to develop a strategic implementation plan. Specifically, key leadership personnel have departed CS&C within the past year, including the Assistant Secretary of CS&C in January 2013, the Director of FNR (previously known as Federal Network Security) in July 2012, and the CPM Branch Chief in March 2013. In addition, the issuance of Executive Order 13618 triggered a comprehensive review of DHS’ cybersecurity roles and responsibilities, which resulted in CS&C’s reorganization into five new divisions in October 2012.
As a result, CS&C has to change its draft strategic implementation plan to reflect the revised organizational structure and incorporate new management priorities.

The GPRA Modernization Act of 2010 requires the development of a strategic implementation plan that identifies the major functions and operations of an agency.[9] The plan should include general goals and objectives and a description of how those goals and objectives can be achieved. It should cover at least four years following the fiscal year in which the plan is developed. According to OMB guidance, performance measures are developed to monitor a program’s accomplishments and determine whether results are being achieved. In addition, performance measures must be based on a program’s mission and priorities. In some instances where the outcome of a program may not be realized for many years, a program should identify specific short- and medium-term milestones to accomplish long-term performance goals. Appropriate performance goals should include performance measures and targets, outcomes, and annual and long-term measures and targets.

Without a strategic implementation plan that specifies long-term goals and performance metrics, it may be difficult for CS&C FNR to manage and evaluate Federal agencies’ information security programs effectively.
In addition, given the complexity of managing a Federal-wide program and frequent organizational changes, a comprehensive strategic implementation plan will help CS&C FNR achieve its key objectives and milestones.

[9] GPRA Modernization Act of 2010 (Public Law 111-352).

Recommendations

We recommend that the Acting Assistant Secretary, CS&C:

Recommendation #1: Coordinate with OMB to develop a strategic implementation plan, which identifies long-term goals and milestones, for Federal agency FISMA compliance.

Recommendation #2: Update and finalize internal operating procedures and guidance documents to ensure that cyber responsibilities and procedures are clearly defined.

Management Comments and OIG Analysis

NPPD concurred with recommendation 1. FNR is currently engaged with OMB, NIST, and the Chief Information Officer (CIO) community in a sustained effort to strategically align Continuous Diagnostics and Mitigation (CDM) capabilities, direction, and governance with the requirements and imperatives of the FISMA compliance regime. The overarching aim of the strategic alliance will further advance performance and produce measurable results. OMB is being provided with short-, mid-, and long-term concept of operations (CONOPs) roadmaps for CDM via the Joint Continuous Monitoring Working Group. FNR is also working directly with NIST to map measurements to controls.
These collaborations are directly influencing OMB guidance to departments and agencies, including the revision of OMB Circular A-130. Suggested exit criteria are the Joint Continuous Monitoring Working Group CONOPs containing short-, mid-, and long-range CDM roadmaps; deliverables related to the CDM capability model; and CDM control mappings.

We agree that the steps that NPPD plans to take begin to satisfy this recommendation. This recommendation will remain open until NPPD provides documentation to support that planned corrective actions are completed.

NPPD concurred with recommendation 2. FNR has finalized all of its internal standard operating procedures for FISMA reporting and metric guidance, cybersecurity performance reviews, and performance analysis. Operational process and procedure documents for the CPM branch are consolidated in a single document, ‘Cybersecurity Performance Management Operations Guide v1.0’. In addition, FNR has updated their CONOPs in Performance Management Concept of Operations (CONOPs), v2.0. The Operations Guide v1.0 and CONOPs v2.0 are currently under final review and will be shared as soon as they are signed.

We agree that the steps that NPPD plans to take begin to satisfy this recommendation. This recommendation will remain open until NPPD provides documentation to support that planned corrective actions are completed.

Improved Communication and Collaboration With Federal Agencies Can Help Improve the FISMA Reporting Process

CS&C FNR can improve communication and collaboration with Federal agencies to enhance the annual FISMA reporting process.
Although agency representatives said that CS&C has taken actions, some agencies indicated that CS&C FNR can make further improvements to the clarity and quality of the FISMA reporting metrics and enhance the levels of communication regarding agencies’ vulnerability submissions.

We collected comments from 10 Federal agencies and representatives from the Chief Information Security Officer Council and Federal Audit Executive Council to obtain their perspective on the FISMA reporting metrics and monthly CyberScope vulnerability data submissions.[10] We also gathered comments regarding the cybersecurity assessments conducted by CS&C FNR at selected Federal agencies.

Five agencies indicated that some of the FY 2012 and FY 2013 FISMA reporting metrics were unclear and should be revised to reduce ambiguity. For example, one agency stressed the need for additional descriptions and details in the reporting metrics and would like for CyberScope to include dialog or pop-up boxes within the application. Its representatives stated that this enhancement would ensure that agencies are providing DHS and OMB with the information needed to properly assess Federal agencies’ information security programs.
In addition, two agencies stated that the annual FISMA reporting process is a strain on available personnel resources, as DHS and OMB are developing too many metrics.

Further, one agency stated that, instead of spending resources to implement technical controls and automated capabilities to monitor and protect its networks, it had to divert available funding to ensure FISMA compliance and address the annual reporting metrics. In addition, two agencies indicated that the recent reporting metrics are paperwork driven and do not reflect the current effort toward a Federal-wide continuous monitoring program.[11] As a result, these agencies expressed concerns about the inefficient use of resources. For example, they must divide available resources between continuous monitoring efforts and those associated with outdated criteria, such as FISMA legislation, OMB Circular A-130, and some NIST publications.

Federal agencies are required to submit various data elements monthly, such as configuration management, vulnerability data, and audit trails.[12] DHS has been collecting these data since 2011. Three agencies indicated that they have received little or no reaction from DHS regarding their monthly vulnerability submissions. For example, agencies stated that DHS has not provided any detailed information, such as trending analysis, regarding their monthly vulnerability data submissions.
In addition, one agency stated that it did not know how or whether DHS used or evaluated its submitted data.

[10] The 10 Federal agencies are the Board of Governors of the Federal Reserve System; the Departments of Energy, Health and Human Services, Homeland Security, Interior, Justice, State, and Treasury; the Securities and Exchange Commission; and the Office of Personnel Management.
[11] NIST defines continuous monitoring as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. Continuous monitoring, a critical aspect of the organization-wide risk management process, is most effective when automated mechanisms are employed where possible.
[12] OMB M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, September 14, 2011, requires agencies to establish monthly data feeds to CyberScope.

According to the former CPM Branch Chief and internal procedures, CPM is not performing detailed analysis of monthly vulnerability submissions provided through CyberScope.[13] Because of insufficient staff resources, CPM acknowledged that it may not be able to satisfy all of its requirements and responsibilities, including project management, communications, and outreach efforts.[14]

[13] Cybersecurity Performance Analytics Standard Operating Procedures, April 26, 2012.
[14] Cybersecurity Performance Management Mission Needs Statement, April 23, 2012.

Improved communication and collaboration with Federal agencies would allow DHS to improve the quality and clarity of the annual FISMA reporting metrics. Without clear and concise reporting metrics, it may be difficult for Federal agencies to provide accurate information regarding the status of their information security programs. As a result, DHS’ and OMB’s ability to properly assess FISMA compliance across the enterprise may be hindered. Finally, if the Department does not provide detailed analyses regarding agency data, it may be difficult for Federal agencies to identify potential vulnerability trends or properly secure their information systems and networks.

Recommendations

We recommend that the Acting Assistant Secretary, CS&C:

Recommendation #3: Improve communication and coordination with Federal agencies by providing additional clarity regarding the FISMA reporting metrics.

Recommendation #4: Implement a process to analyze and provide detailed feedback to Federal agencies concerning monthly vulnerability data feeds.

Management Comments and OIG Analysis

NPPD concurred with recommendation 3. FNR’s CPM branch is committed to continuous improvement. CPM has dedicated mechanisms in place for developing and vetting metrics and guidance using subject matter experts in full collaboration with OIG and CIO communities. Working groups are currently being held with representatives of the OIG community and subgroups of the Information Security and Identity Management Committee in order to incorporate feedback in the development of the FY 2014 metrics. As the OIG report notes, the Federal community has experienced improvements in the FISMA reporting process. Those improvements are due in large part to FNR’s commitment to continuous improvement, and FNR fully expects each successive round of metrics to be an improvement over the previous round. In addition, the CPM branch will produce the following additions to the Cybersecurity Performance Management Operations Guide v1.0: (a) a stakeholder awareness matrix that outlines communication activities; (b) service descriptions that include procedures, practices, and expectations for collaboration with and support of Federal agencies; and (c) an impact matrix that identifies specific criteria for assessing the quality of a question.

We agree that the steps that NPPD plans to take begin to satisfy this recommendation. This recommendation will remain open until NPPD provides documentation to support that planned corrective actions are completed.

NPPD concurred with recommendation 4. NPPD stated that the current data feeds do not provide the fidelity or reliability required to provide a detailed vulnerability picture. The current data feeds are useful for informing decision makers of large-scale trends and possible threats concerning the existence of unsupported (end-of-life) operating systems and software. The feeds also provide useful (though rough) situational awareness data regarding the types of monitoring tools being used and the fullness of current implementations.

Resources are assigned and analysis is under way to glean additional useful vulnerability data from the feeds. However, the CyberScope data feeds must be seen as a transitional activity in the bigger picture of CDM.
The feeds constitute\n       an important first step in achieving the enterprise view essential to a successful\n       continuous monitoring program. The alignment of tools, standards, resources,\n       governance, and operations needed to bring about the feeds constitute a\n       significant early success and critical baseline in the evolution of CDM.\n\n       Additionally, the CPM branch in coordination with CDM program resources will\n       produce a transition plan. The transition plan will identify the tasks and activities\n       involved in moving from the Cyberscope data feeds to the CDM dashboard. It\n       will include the following elements: a scope statement addressing background\n       information on the project; a description of the relationship of the project to\n       other projects and/or organizations; maintenance resources; and identification\n       of the transition team\xe2\x80\x99s responsibilities. It also includes the deployment\n       schedule, resource estimates, management controls, reporting procedures, and\n       risks and contingencies.\n\n       We agree that the steps that NPPD plans to take begin to satisfy this\n       recommendation. This recommendation will remain open until NPPD provides\n       documentation to support that planned corrective actions are completed.\n\n\n\n\nwww.oig.dhs.gov                             11                                     OIG-13-95\n\n\x0c                                OFFICE OF INSPECTOR GENERAL\n                                   Department of Homeland Security\n\n\n         CS&C Does Not Maintain an Adequate Security Training Program for Contractors\n\n         CS&C has not established an effective process to ensure that its CyberScope\n         contractors (i.e., system administrators) have received the required security\n         awareness or adequate specialized role-based training, commensurate with\n         assigned responsibilities. 
Specifically, CS&C does not maintain records or\n         provide documentation to support that these contractors have received DHS\xe2\x80\x99\n         security awareness or specialized information technology (IT) training. We\n         identified a similar finding in our 2011 report.15\n\n         According to the CyberScope Information System Security Officer (ISSO), FNR\n         does not have a process to maintain training records for CyberScope contractors\n         or ensure that all training requirements have been completed. Additionally,\n         CS&C does not require contractors to receive any specialized IT training in\n         addition to what is mandated by the hosting facility.\n\n         FISMA requires agencies to provide employees, contractors, and other users of\n         information systems with security awareness and specialized IT training annually.\n         The training is designed to inform personnel about the risks associated with their\n         activities when accessing government information systems and their\n         responsibilities in complying with agency policies and procedures designed to\n         reduce these risks. DHS also requires components to establish an information\n         security training program for its users, which includes security awareness and\n         specialized IT training for those with significant security responsibilities. ISSOs\n         are also required to maintain training records for users and system personnel.\n\n         Without an effective process to track training completion, CyberScope contractors\n         may not have received the appropriate skills or knowledge to properly\n         administer and secure the systems against potential cyber threats. In addition,\n         the skills and knowledge required to maintain and improve system operations\n         may not be developed. 
Training helps personnel obtain knowledge about\n         current security threats, risks, trends, and mitigation techniques. CS&C cannot\n         guarantee the security of the data collected through CyberScope without\n         ensuring that all people involved understand their roles and responsibilities and\n         are adequately trained to perform them.\n\n\n\n\n15\n  Planning, Management, and Systems Issues Hinder DHS\xe2\x80\x99 Efforts To Protect Cyberspace and the Nation\xe2\x80\x99s Cyber\nInfrastructure (OIG-11-89, June 2011).\n\n\nwww.oig.dhs.gov                                        12                                             OIG-13-95\n\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                           Department of Homeland Security\n\n\n       Recommendation\n\n       We recommend that the Acting Assistant Secretary, CS&C:\n\n       Recommendation #5: Establish a process to ensure that all CyberScope\n       contractor system administrators have received adequate security training in\n       compliance with applicable DHS, OMB, and NIST guidance.\n\n       Management Comments and OIG Analysis\n\n       NPPD concurred with recommendation 5. FNR is developing a standard\n       operating procedure that defines the procedural controls for tracking\n       CyberScope administrators to ensure that training meets or exceeds applicable\n       DHS, OMB, and NIST guidance.\n\n       We agree that the steps that NPPD plans to take begin to satisfy this\n       recommendation. This recommendation will remain open until NPPD provides\n       documentation to support that planned corrective actions are completed.\n\n       Technical Enhancements Can Improve CyberScope Security\n\n       CS&C has not implemented all DHS security controls on its CyberScope database,\n       which may allow unauthorized individuals to gain access to sensitive data. 
To assess the security posture of CyberScope, we interviewed selected IT and program management personnel. In addition, we performed vulnerability assessments on the web and database servers. We also reviewed configuration settings on selected servers for compliance with applicable DHS Sensitive Systems Configuration Guidance.

Implementing the Required Configuration Settings Can Further Secure CyberScope

Although CS&C has implemented effective controls on CyberScope, the database was not configured with all required DHS baseline configuration settings to protect the information it stores. For example, we evaluated whether selected security controls, such as access control, identification and authentication, encryption, and network security settings, were implemented on CyberScope. We identified the following three instances of noncompliance:

• A guest account exists on a database that may allow an unauthorized user to gain anonymous access. DHS guidance prohibits the use of guest accounts on databases.

• A default account has not been disabled or renamed. The use of well-known default accounts increases the risk that individuals may gain unauthorized access to the database. DHS requires that all default accounts be renamed or disabled.

• Elevated permissions have been granted to a public group, which may allow users to get sensitive system information in the Windows registry.16 DHS requires that users be granted the most restrictive set of privileges needed to perform their assigned tasks.

Subsequent to the completion of our audit work, CS&C personnel stated that they had taken or planned to take corrective action to address the deficiencies identified during our vulnerability assessment. As fieldwork had already been completed, we did not verify whether the deficiencies had been remedied.

DHS baseline configuration guidance provides the settings and parameters for ensuring a minimum baseline of security when installing or configuring databases, such as access control, identification and authentication, auditing, and encryption requirements. The guidance should be used to help protect databases from potential software flaws and help reduce the likelihood of potential threats, including unauthorized access or hacks. In addition, FISMA requires that all systems meet minimally acceptable system configuration requirements, as determined by the agency.

When databases are not properly configured, unauthorized individuals could gain access to sensitive data.
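The three deviations listed above (an active guest account, a default account that was neither renamed nor disabled, and privileges granted to a public group beyond what its members need) are the kind of baseline checks that can be automated and re-run after every change. The following is an added example, not code from the OIG report or from the CyberScope system: a small Python checker that evaluates a snapshot of database accounts and grants against those three rules. The snapshot layout, the list of well-known default account names, the privilege strings and the "connect only" allow-list for the public group are all constructed for illustration; the report does not reproduce the actual DHS baseline settings, so a real check would take its thresholds from that guidance and populate the snapshot from the DBMS's own catalog views.

```python
"""Database baseline check for the three CyberScope-style findings.

Added example. The snapshot layout, the default-account names and the
privilege strings are constructed stand-ins; a real check would populate
the snapshot from the DBMS's own catalog (logins, roles, grants) and take
its rule parameters from the applicable baseline guidance.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str              # login/account name as stored in the DBMS
    enabled: bool          # False once the account has been disabled
    is_guest: bool = False # True for the DBMS's anonymous/guest principal


@dataclass(frozen=True)
class Finding:
    rule: str      # which baseline rule was violated
    subject: str   # the account or group concerned
    detail: str    # what was found and the corrective action


# Assumed baseline parameters (illustrative, not the DHS guidance itself).
DEFAULT_ACCOUNT_NAMES = {"sa", "admin", "root", "system"}
# Least privilege: the only thing a public group should be able to do.
PUBLIC_ALLOWED_PRIVILEGES = {"CONNECT"}


def check_guest_accounts(accounts):
    """Rule 1: an enabled guest account permits anonymous access."""
    return [
        Finding("guest-account", a.name,
                "guest account is enabled; disable it (guidance prohibits guest accounts)")
        for a in accounts if a.is_guest and a.enabled
    ]


def check_default_accounts(accounts):
    """Rule 2: well-known default accounts must be renamed or disabled."""
    return [
        Finding("default-account", a.name,
                "default account still active under its well-known name; rename or disable it")
        for a in accounts
        if a.enabled and not a.is_guest and a.name.lower() in DEFAULT_ACCOUNT_NAMES
    ]


def check_public_privileges(grants):
    """Rule 3: the public group may hold nothing beyond the allow-list."""
    extra = set(grants.get("public", set())) - PUBLIC_ALLOWED_PRIVILEGES
    return [
        Finding("public-privilege", "public",
                f"public group holds {priv!r}; revoke it and grant it to a named role instead")
        for priv in sorted(extra)
    ]


def check_baseline(snapshot):
    """Run every rule against a snapshot; an empty list means compliant."""
    accounts = snapshot["accounts"]
    grants = snapshot["grants"]
    return (check_guest_accounts(accounts)
            + check_default_accounts(accounts)
            + check_public_privileges(grants))


# Constructed snapshot reproducing the report's three deviations.
NONCOMPLIANT_SNAPSHOT = {
    "accounts": [
        Account("guest", enabled=True, is_guest=True),
        Account("sa", enabled=True),
        Account("cyberscope_app", enabled=True),
    ],
    "grants": {
        "public": {"CONNECT", "READ_REGISTRY"},   # registry read exposed to everyone
        "cyberscope_app": {"CONNECT", "SELECT", "INSERT"},
    },
}

# The same instance after remediation: guest and default accounts disabled,
# registry access moved from the public group to a named administrative role.
REMEDIATED_SNAPSHOT = {
    "accounts": [
        Account("guest", enabled=False, is_guest=True),
        Account("sa", enabled=False),
        Account("cyberscope_app", enabled=True),
    ],
    "grants": {
        "public": {"CONNECT"},
        "cyberscope_app": {"CONNECT", "SELECT", "INSERT"},
        "dba_registry_readers": {"READ_REGISTRY"},
    },
}


if __name__ == "__main__":
    for label, snap in (("before", NONCOMPLIANT_SNAPSHOT), ("after", REMEDIATED_SNAPSHOT)):
        findings = check_baseline(snap)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.rule}] {f.subject}: {f.detail}")
```

The public-group rule is written as an allow-list rather than a deny-list on purpose: a deny-list only catches the privileges someone thought to enumerate, whereas the allow-list encodes the most-restrictive-set principle the report cites, so any new grant to the group surfaces as a finding until it is justified and moved to a named role.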
As a result, DHS cannot ensure that effective security controls have been implemented, restricting the ability of management officials to make effective, risk-based decisions.

Recommendation

We recommend that the Acting Assistant Secretary, CS&C:

Recommendation #6: Implement all required DHS baseline configuration settings on the CyberScope database.

16 A Microsoft Windows registry is a hierarchical database that stores configuration settings and keeps track of the software installed on the computer and how each program relates to others.

Management Comments and OIG Analysis

NPPD concurred with recommendation 6. CyberScope system operators are expected to adhere to all required DHS baseline configuration settings. CyberScope, like any other hosted application, is subject to configuration management policies and procedures. Furthermore, CyberScope is subject to continuous vulnerability scanning and configuration audits. FNR provided documentation to OIG in early March that addresses the remaining finding. FNR continues to work within DHS to ensure that all DHS baseline configuration settings are set and maintained within CyberScope.

We agree that the steps that NPPD plans to take begin to satisfy this recommendation. This recommendation will remain open until NPPD provides documentation to support that planned corrective actions are completed.

Appendix A
Objectives, Scope, and Methodology

DHS OIG was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the Department.

The objective of our audit was to determine whether NPPD has effectively implemented its additional cybersecurity responsibilities to improve the security posture of the Federal Government. Specifically, we determined the progress and effectiveness of NPPD’s actions in (1) implementing its FISMA cybersecurity responsibilities, (2) overseeing the TIC initiative, and (3) addressing Executive Order 13618 regarding DHS’ national security/emergency preparedness communications functions and responsibilities. We also determined whether NPPD has implemented effective system security controls to protect sensitive information stored and processed by the DHS CyberScope system, including a review of its security documentation to assess compliance with applicable DHS, NIST, and OMB policies and guidance.

To determine the effectiveness of NPPD actions in implementing its FISMA cybersecurity responsibilities, we interviewed selected CS&C personnel and management officials. We also collected comments from OIG and OCIO personnel from 10 Federal agencies and representatives from the Chief Information Security Officer Council and Federal Audit Executive Council.
In addition, we reviewed and evaluated CS&C security policies, standard operating procedures, training data, and other appropriate documentation. Because of the recent issuance of Executive Order 13618 and its early stage of implementation, we did not perform a comprehensive evaluation of NPPD’s actions and requirements. We also conducted automated security assessments using Tenable Nessus and Application Security, Inc. AppDetective Pro on databases and operating systems. Finally, we reviewed CyberScope configuration settings, cryptography implementation, vulnerability assessment processes, and patch management.

Fieldwork was performed in the Washington, DC, area. We conducted this performance audit between October 2012 and March 2013 pursuant to the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based upon our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based upon our audit objectives.

Appendix B
Management Comments to the Draft Report

National Protection and Programs Directorate
U.S.
Department of Homeland Security
Washington, DC 20528

Mr. Charles K. Edwards
Deputy Inspector General
Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

Dear Mr. Edwards:

Re: Office of Inspector General Report, DHS Can Take Actions to Address Its Additional Cybersecurity Responsibilities (OIG Project No. 12-171-ITA-NPPD)

Thank you for the opportunity to review and comment on this draft report. The U.S. Department of Homeland Security (DHS) appreciates the Office of Inspector General's (OIG) work in planning and conducting its review and issuing this report.

The National Protection and Programs Directorate (NPPD) is pleased that the OIG highlighted accomplishments regarding actions taken by the Office of Cybersecurity and Communications' (CS&C) Federal Network Resilience (FNR) division to implement its additional cybersecurity responsibilities effectively. Specifically, the report recognizes improvements made to the Federal Information Security Management Act (FISMA) reporting process and progress made in assisting with the improvement of cybersecurity programs at Federal agencies.

The FNR has developed and refined the annual FISMA reporting metrics, in coordination with the Office of Management and Budget (OMB), and has conducted seven CyberStat reviews since October 2012. As a result, FNR was able to support Federal agency efforts to identify capability limitations and to develop action plans that work to improve information security operations. In addition, 18 network and Trusted Internet Connection assessments were performed in FY 2012, which evaluated security posture and compliance with OMB cybersecurity initiatives. It's important to note that FNR is currently deploying a proven diagnostic technology across the .gov realm that automatically scans government networks every three days, thus enabling agencies to identify and repair the worst network problems first. This automated Continuous Diagnostics and Mitigation (CDM) program will replace costly and infrequent manual inspections of systems.

Six recommendations were made to the CS&C Acting Assistant Secretary:

Recommendation 1: Coordinate with OMB to develop a strategic implementation plan which identifies long-term goals and milestones for Federal agency FISMA compliance.

Response: Concur. FNR is currently engaged with OMB, the National Institute of Standards and Technology (NIST), and the Chief Information Officer (CIO) community in a sustained effort to strategically align CDM capabilities, direction, and governance with the requirements and imperatives of the FISMA compliance regime. The overarching aim of the strategic alliance will further advance performance and produce measurable results. OMB is being provided short-, mid-, and long-term concept of operations (CONOPS) roadmaps for CDM via the Joint Continuous Monitoring Working Group (JCMWG). FNR is also working directly with NIST to map measurements to controls. These collaborations are directly influencing OMB guidance to departments and agencies, including the revision of OMB Circular A-130. Suggested exit criteria are the JCMWG CONOPS containing short-, mid-, and long-range CDM roadmaps; deliverables related to the CDM capability model; and CDM control mappings.

Recommendation 2: Update and finalize internal operating procedures and guidance documents to ensure that cyber responsibilities and procedures are clearly defined.

Response: Concur. FNR has finalized all of its internal Standard Operating Procedures (SOPs) for FISMA reporting and metric guidance, cybersecurity performance reviews, and performance analysis. Operational process and procedure documents for the Cybersecurity Performance Management (CPM) branch are consolidated in the single document, Cybersecurity Performance Management Operations Guide v1.0. In addition, FNR has updated their CONOPS in Performance Management Concept of Operations (CONOPS), v2.0. The Operations Guide v1.0 and CONOPS v2.0 are currently under final review and will be shared as soon as they are signed.

Recommendation 3: Improve communication and coordination with Federal agencies by providing additional clarity regarding the FISMA reporting metrics.

Response: Concur. FNR's CPM branch is committed to continuous improvement. CPM has dedicated mechanisms in place for developing and vetting metrics and guidance using subject matter experts in full collaboration with IG and CIO communities. Working groups are currently being held with representatives of the IG community and subgroups of the Information Security and Identity Management Committee in order to incorporate feedback in the development of the FY 14 metrics. As the OIG report notes, the Federal community has experienced improvements in the FISMA reporting process. Those improvements are due in large part to FNR's commitment to continuous improvement, and FNR fully expects each successive round of metrics to be an improvement over the previous round. In addition, the CPM Branch will produce the following additions to the Cybersecurity Performance Management Operations Guide v1.0: (a) a stakeholder awareness matrix that outlines communication activities; (b) service descriptions that include procedures, practices, and expectations for collaboration with and support of Federal agencies; and (c) an impact matrix that identifies specific criteria for assessing the quality of a question.

Recommendation 4: Implement a process to analyze and provide detailed feedback to Federal agencies concerning monthly vulnerability data feeds.

Response: Concur. The data feeds, however, currently do not provide the fidelity or reliability required to provide a detailed vulnerability picture. The current data feeds are useful for informing decision makers of large-scale trends and possible threats concerning the existence of unsupported (end-of-life) operating systems and software. The feeds also provide useful (though rough) situational awareness data regarding the types of monitoring tools being used and the fullness of current implementations.

Resources are assigned and analysis is underway in order to glean additional useful vulnerability data from the feeds. However, the CyberScope data feeds must be seen as a transitional activity in the bigger picture of CDM. The feeds constitute an important first step in achieving the enterprise view essential to a successful continuous monitoring program. The alignment of tools, standards, resources, governance, and operations needed to bring about the feeds constitutes a significant early success and critical baseline in the evolution of CDM.

Additionally, the CPM branch, in coordination with CDM program resources, will produce a transition plan. The Transition Plan will identify the tasks and activities involved in moving from the CyberScope data feeds to the CDM dashboard. The Transition Plan will include the following elements: a scope statement addressing background information on the project, a description of the relationship of the project to other projects and/or organizations, maintenance resources, and identification of the transition team's responsibilities. It also includes the deployment schedule, resource estimates, management controls, reporting procedures, and risks and contingencies.

Recommendation 5: Establish a process to ensure that all CyberScope contractor system administrators have received adequate security training in compliance with applicable DHS, OMB, and NIST guidance.

Response: Concur. FNR is developing a SOP that defines the procedural controls for tracking CyberScope administrators to ensure training meets or exceeds applicable DHS, OMB, and NIST guidance.

Recommendation 6: Implement all required DHS baseline configuration settings on the CyberScope database.

Response: Concur. The CyberScope system operators are expected to adhere to all required DHS baseline configuration settings. CyberScope, like any other hosted application, is subject to configuration management policies and procedures. Furthermore, CyberScope is subject to continuous vulnerability scanning and configuration audits. FNR provided documentation to the OIG in early March that addresses the remaining finding. FNR continues to work within DHS to ensure that all DHS baseline configuration settings are set and maintained within CyberScope.

Again, we thank you for the opportunity to review and provide comment on this draft report, and we look forward to working with you on future homeland security engagements.

Sincerely,

[signature]
Acting Under Secretary

Appendix C
Major Contributors to This Report

Chiu-Tong Tsang, Director
Aaron Zappone, Team Lead
Thomas Rohrback, IT Specialist
Michael Kim, IT Auditor
Pachern Thapanawat, IT Auditor
Sheldon Liggins, IT Auditor
Swati Nijhawan, Referencer

Appendix D
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
Under Secretary for Management
Under Secretary, NPPD
General Counsel
Executive Secretary
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Chief Information Officer, DHS
Chief Information Security Officer, DHS
Chief Information Officer, NPPD
Chief Information Security Officer, NPPD
Acting Chief Privacy Officer
Director, Compliance and Oversight, DHS OCISO
Director, GAO/OIG Liaison Office
Audit Liaison, CIO, DHS
Audit Liaison, CISO, DHS
Audit Liaison, NPPD

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this document, please call us at (202) 254-4100, fax your request to (202) 254-4305, or e-mail your request to our Office of Inspector General (OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.

For additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any other kinds of criminal or noncriminal misconduct relative to Department of Homeland Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov and click on the red tab titled "Hotline" to report. You will be directed to complete and submit an automated DHS OIG Investigative Referral Submission Form. Submission through our website ensures that your complaint will be promptly received and reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing to: DHS Office of Inspector General, Attention: Office of Investigations Hotline, 245 Murray Drive, SW, Building 410/Mail Stop 2600, Washington, DC, 20528; or you may call 1 (800) 323-8603; or fax it directly to us at (202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.